DailyDirt: Passwords Suck, But What's Better?
from the urls-we-dig-up dept
Every service wants you to create a username and password… and it all begins to pile up after a while. Users try to make things easier for themselves by re-using passwords, but you’re really not supposed to do that. What are you supposed to do? Well, password management software exists, but only the truly paranoid folks spend the time to figure out which one of those is the one that works best for particular use cases and then actually set it up. (And then shit happens anyway.) Some companies are trying to figure out other solutions — here are a few of them.
- Apple has its fingerprint sensor, but a 4-digit PIN will be replaced by a 6-digit PIN soon. Yippee! It’s not much of an improvement, but a brute force attack will take a bit longer for the bad guys. [url]
- Would you want to replace a password with a brainwave measurement? Electroencephalograms (EEGs) could verify your ‘pass-thoughts’ for allowing access to a secure system. Maybe it’ll be harder to forget your ‘pass-thoughts’ or maybe it won’t? Or someone might say, “Don’t think about your password!” and run off with your EEG waves before you stop yourself from thinking… [url]
- Google is working on a way to identify users from their usage patterns — how different people type or swipe or interact. It’s supposedly “up to” 10x better than other methods, but what happens if you hurt your wrist or something? [url]
- Paypal is suggesting an ‘ingestible’ (embeddable or injectable) device to serve as a person identification dongle. Implanted devices better be painless to inject and remove! Is it safe? [url]
Filed Under: authentication, biometrics, brainwaves, brute force attacks, dongles, eeg, ingestibles, pass-thoughts, passwords, pin, security
Companies: apple, google, paypal
Comments on “DailyDirt: Passwords Suck, But What's Better?”
This is just my opinion
But I wish people would stop thinking of biometrics as a replacement for passwords. Think of them as a replacement for your username, but not as a replacement for a password.
Re: This is just my opinion
You should think of biometrics as a replacement for privacy and liberty.
Re: This is just my opinion
Agreed. Once something is digitized, it becomes something that can be passed around on the interwebs.
It sure sounds like it might be more like personal recognition, but what if the identifying engine is only looking at a file that might include some code to fudge a body temperature at the same time?
To that extent, with SSNs and other data becoming so public, even with my passport and state-issued photo driver’s license, just how does one prove they are who they say they are?
Re: This is just my opinion
I think biometrics may be a good multi-factor authentication mechanism. I.e.: you’ve got the user, pass and biometrics, then you can move in. I like those keys like Yubi or things like grid authentication or Google auth. I think in the end you should just have several somewhat easy keys/steps that together will allow access.
Re: This is just my opinion
Well, we have been using biometrics for the password for the last 6 years with no problems. To enter secure areas or access certain services from the servers you enter your user-id and then your biometric scan must match for that user-id. For further security we have additional questions such as what was the color of the wallpaper of your first apartment or other really obscure questions.
We feel strongly about the biometric we use because it has no law enforcement value and would be extremely hard to forge because the biometric is the vein pattern of a finger tip. The pattern is different finger to finger so you can use one finger for work and another for personal. Cutting off someone’s finger will not work as blood must be coursing through the veins. We even read blood pressure and oxygen content letting our employees know if they may need to see a doctor.
The point is that to eliminate fraud and to protect certain assets I need to be sure you are who you say you are and finger-vein technology is one of the best biometric passwords you can use. So I totally disagree with you and I say you are very wrong!!!!!!
Big changes in typing patterns...
I *usually* touch type with all ten fingers…until…I am eating with my other hand…or it is all wrapped up in a mitten with hot wax on it so as to apply deep heat…
I sort the passwords into the really valuable ones and the lesser valued ones, memorize just a few, and keep the rest in my little black book.
PayPal
PayPal wants me to ingest something of theirs? They are going to have to do a whole lot of work to get me to use their system for ANYTHING, let alone ingest something they condone, whether they built it or not. Just look at their track record.
Then after 10 or 15 years of watching their behavior I might think about the possibility of considering ingesting something they might suggest assuming FDA approval and 20 years of other people using it without ill effect.
So, not in my lifetime.
Re: PayPal
The biggest problem with any kind of ingestible or injectable ID is you’re telling crooks “I’ve got the key to my bank hidden in my stomach! Come get it!!” And many will not hesitate to do so. I would NEVER agree to any such ID, no matter what.
It’s a similar issue with biometrics – if your finger is the key to your stuff, crooks won’t hesitate to lop it off to get the goodies.
Re: Re: PayPal
Obviously you’re not aware of finger-vein technology used in biometrics. If you lop off the finger it will no longer work, as blood must be coursing through the veins for a reading. Finger vein technology is a great biometric we’ve used for years.
Re: PayPal
What? Making it so easy to pay for stuff and send money around that they’ve become the default payment system for the Internet? Having a tech support system where it’s easy to reach a real human being? Running a mature, stable platform that’s been around since the 90s, so you can be confident it will still be there tomorrow?
Why would that track record make you want to not have anything to do with them?
Re: Re: PayPal
There are so many instances of PayPal screwing people over (and out of money) that I avoid them to the greatest extent possible. How much you trust them depends on your own comfort level, but “not at all” is a reasonable stance.
Re: Re: Re: PayPal
[citation needed]
A few times I’ve heard innuendos about how “everyone knows” that PayPal is evil and loves to screw its customers over. It’s a lot of the same stuff you hear about Google, except with even less in the way of actual examples of customers getting screwed over.
All I know personally is, I’ve been using PayPal pretty much forever and never once had a bad experience with their service.
Re: Re: Re:2 PayPal
Paywalled
Not Paywalled
Re: Re: Re:2 PayPal
You can find several, but probably not all instances with this link.
https://www.techdirt.com/blog/?company=paypal
Steve Gibson, the creator of SpinRite, is just about to release a secure password replacement based on open key cryptography called SQRL. This link attempts to explain it for normal humans:
http://sqrl.pl/guide/
and this link is Gibson’s explanation which is fairly information dense.
https://www.grc.com/sqrl/sqrl.htm
Re: Re:
“and then on our website we store…”
NO.
Re: Re: Re:
“and then on our website we store…”
I’m not seeing where they say this on the link above, nor on the link posted below…
Re: Re:
This seems solid. It’s simply using PKE in one of the ways it was intended. But it’s unlikely I would use it, as it requires a privileged computing device in order to function. It eliminates the ability to log into stuff if you don’t have your smartphone/tablet/laptop/whatever with you.
Keypairs
In server-space public and private keys work pretty well. A server that accepts passwords to SSH in is basically inevitably a malware hive. A keyring works pretty well there. A dongle or similar to hold a bunch of keys, using changing keys, could work. The biggest downside there I can see is Fifth Amendment protection doesn’t apply to objects but it does to your brain.
I'm with Phil
Phil Zimmermann solved this *20 years ago*: if I send you a message signed with my private key, you know it’s from me.
We use asymmetric crypto for 2FA, but apparently not for one-factor authentication. Damned if I can work out why.
SQRL
The ultimate password solution is the open free Steve Gibson solution. See https://www.grc.com/sqrl/sqrl.htm.
It’s so easy, it looks like it shouldn’t work. But it does.
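Challenge-response login with a per-site keypair, as the Keypairs, “I'm with Phil” and SQRL comments above describe it: the site stores only a public key, hands out a random nonce, and accepts a signature over that nonce in place of a password. This is an added Go sketch written for this page, not code from the page, from SQRL or from GRC; the HMAC-SHA256 per-site key derivation, the domain-prefixed challenge, and the `Server`/`siteKey` names are assumptions of the sketch rather than SQRL's actual protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// siteKey derives a per-site Ed25519 key from the master secret and the site's domain (HMAC-SHA256 as the KDF is this sketch's assumption).
func siteKey(master []byte, domain string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	return ed25519.NewKeyFromSeed(mac.Sum(nil)) // HMAC output is exactly the 32-byte seed
}

// Server stores only public keys, so its user table holds nothing reusable elsewhere.
type Server struct {
	domain string
	users  map[string]ed25519.PublicKey
}

func (s *Server) Register(user string, pub ed25519.PublicKey) { s.users[user] = pub }
// Challenge issues a fresh random nonce bound to this domain; a signature over it is useless at another site.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append([]byte(s.domain+"|"), nonce...), nil
}

// Login succeeds only if sig is a valid signature over this exact challenge under the user's registered key.
func (s *Server) Login(user string, challenge, sig []byte) error {
	pub, ok := s.users[user]
	if !ok || !ed25519.Verify(pub, challenge, sig) {
		return errors.New("authentication failed")
	}
	return nil
}
func main() {
	master := []byte("constructed master secret; it stays on the user's device")
	srv := &Server{domain: "example.com", users: map[string]ed25519.PublicKey{}}
	priv := siteKey(master, srv.domain)
	srv.Register("alice", priv.Public().(ed25519.PublicKey))
	ch, _ := srv.Challenge()
	fmt.Println("login ok:", srv.Login("alice", ch, ed25519.Sign(priv, ch)) == nil)
}
```

Because the challenge is random per login and tied to the domain, a captured response cannot be replayed, and a key derived for one site proves nothing to another.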
I really don’t see the point of ‘biometric’ or any other form of physical identity as they can be easily duplicated.
Well, there is convenience, but such a device needs to be universal.
Only something entirely in the user’s memory can’t be stolen.
Also, from a legal perspective, the courts could order the surrender of such a device; they can’t compel you to testify to your password.
But let’s say we did have some universal biometric, such as a fingerprint reader, then governments could demand it as standard equipment and then know who you are with reasonable certainty all the time. You could be blocked from all internet connected devices. Tracked.
Re: Re:
“I really don’t see the point of ‘biometric’ or any other form of physical identity as they can be easily duplicated.”
Not all forms are easily duplicated, but the vast majority are. The bigger problem, though, is this: If your physical identity is stolen, there’s no way for you to change your “credentials”. You’re simply screwed.
No way!
Ain’t nobody gonna inject anything in MY dongle!!!